Should the ssh fingerprint change when the opensshd port is changed?

After changing the sshd port in OpenSSH 8.2, I noticed that the ssh fingerprint changed. This surprised me, because I assumed it depends only on the public key.

What does the fingerprint depend on? Is the port part of it?

On closer inspection, the key seems to have changed from ssh-rsa to ecdsa-sha2-nistp256. It looks like the server has multiple key files. What determines which key is used, and what could cause it to change?

I haven't found official documentation, but I ran into similar confusion, so I just experimented.

The hostnames in the fingerprints (in .ssh/known_hosts) are hashed, but you can check them with ssh-keygen -H -F 'remote' (you will see Host remote found...).

If you are using the default port (22), then when you first run ssh remote, the fingerprint will contain only the hostname. You can check with ssh-keygen -H -F 'remote' (you will see Host remote found...).

Now, if you change the sshd port on remote to 1234, ssh still seems happy with it, because it tries to match the hostname without the port. You can see this with the -v flag:

$ ssh -v remote -p 1234
debug1: Authenticating to remote:1234 as 'user'
...
debug1: checking without port identifier
debug1: Host 'remote' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:11

However, if the first ssh to remote was done with a custom port (ssh remote -p 1234), then it seems to remember the hostname together with the port:

  • ssh-keygen -H -F 'remote' -- yields nothing
  • ssh-keygen -H -F '[remote]:1234' -- yields a match

The ssh output also changes slightly; it now checks host and port:

$ ssh -v remote -p 1234
...
debug1: Host '[remote]:1234' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:12
...

Now, if you change the remote sshd port to something else, say back to 22, and run ssh remote, ssh will fail to verify the host, because it only knows [remote]:1234, not remote. (I suppose in theory it could still check all 65535 ports against .ssh/known_hosts and give a friendlier error message.)

Regarding key selection: the same -v flag may help here:

...
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA <redacted> agent
debug1: Will attempt key: /home/user/.ssh/id_dsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/user/.ssh/id_ed25519 
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/user/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<redacted>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA <redacted> agent
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA <redacted> agent
...
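As an added illustration of the lookup order the -v output above shows (example code, not from the question or the answer), this script rebuilds a hashed known_hosts host field (|1|salt|HMAC-SHA1, the HashKnownHosts format) and looks it up the way the client does: bare hostname on port 22, otherwise [host]:port first and then the bare hostname. The known_hosts contents, salt and key blob are constructed placeholders, and the lookup is a simplified model of ssh's behaviour, not OpenSSH code.

```python
import base64
import hashlib
import hmac
import os

def hash_hostname(host, salt=None):
    """Hash a host field as HashKnownHosts does: '|1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>'."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_field_matches(field, name):
    """True if one host field (plain or hashed) matches the name being looked up."""
    if not field.startswith("|1|"):
        return field == name
    _, _, salt_b64, mac_b64 = field.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))

def lookup_host_key(known_hosts, host, port):
    """Return (matched_name, key_type, key) or None.
    Lookup order modelled on the debug output: on port 22 only the bare hostname
    is used; on another port '[host]:port' is tried first, then the bare host
    ('checking without port identifier')."""
    names = [host] if port == 22 else ["[%s]:%d" % (host, port), host]
    for name in names:
        for line in known_hosts.splitlines():
            parts = line.split()
            if len(parts) < 3 or line.startswith("#"):
                continue
            if any(host_field_matches(f, name) for f in parts[0].split(",")):
                return name, parts[1], parts[2]
    return None

# Constructed sample entries: one learned via 'ssh remote', one via 'ssh remote -p 1234'.
# The salt and the key blob are placeholders, not real values.
SALT = b"\x01" * 20
KEY = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-PLACEHOLDER"
KNOWN_HOSTS_PORT_22 = hash_hostname("remote", SALT) + " ecdsa-sha2-nistp256 " + KEY
KNOWN_HOSTS_PORT_1234 = hash_hostname("[remote]:1234", SALT) + " ecdsa-sha2-nistp256 " + KEY

if __name__ == "__main__":
    # entry learned on port 22 still matches after sshd moved to 1234 (bare-host fallback)
    print(lookup_host_key(KNOWN_HOSTS_PORT_22, "remote", 1234))
    # entry learned on port 1234 no longer matches once sshd is back on 22: host is unknown
    print(lookup_host_key(KNOWN_HOSTS_PORT_1234, "remote", 22))
```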
